authz

package
v0.0.66 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 15, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package authz provides the authorization utilities for minder

Package authz provides the authorization utilities for minder

Index

Constants

This section is empty.

Variables

View Source
var (
	// AllRolesDescriptions is a list of all roles
	AllRolesDescriptions = map[Role]string{
		RoleAdmin:              "Admins have full permissions on the project. In addition to the editor permissions, users with this role can modify the project, enroll additional providers, and manage roles for other users within the project.",
		RoleEditor:             "In addition to the viewer permissions, editors can author profiles and rule types, as well as add resources to manage. Editors cannot enroll additional providers or change or delete projects.",
		RoleViewer:             "Provides read-only access to the project. Users with this role can view associated resources such as enrolled repositories, rule types, profiles and the status of rule evaluations.",
		RolePolicyWriter:       "Allows users to create rule types and profiles. Unlike editors, policy writers cannot add or remove resources from the project.",
		RolePermissionsManager: "Allows users to manage roles for other users within the project.",
	}
	// AllRolesDisplayName is a list of all roles with their display names
	AllRolesDisplayName = map[Role]string{
		RoleAdmin:              "Admin",
		RoleEditor:             "Editor",
		RoleViewer:             "Viewer",
		RolePolicyWriter:       "Policy Writer",
		RolePermissionsManager: "Permissions Manager",
	}
	// AllRolesSorted is a list of all roles sorted
	AllRolesSorted = []Role{RoleAdmin, RoleEditor, RoleViewer, RolePolicyWriter, RolePermissionsManager}
	// AllRolesVerbs is a list of all roles with their verbs
	AllRolesVerbs = map[Role]string{
		RoleAdmin:              "administer",
		RoleEditor:             "edit",
		RoleViewer:             "view",
		RolePolicyWriter:       "write policies for",
		RolePermissionsManager: "manage permissions for",
	}
)

nolint:lll

View Source
var ErrNotAuthorized = fmt.Errorf("not authorized")

ErrNotAuthorized is the error returned when a user is not authorized to perform an action

View Source
var (
	// ErrStoreNotFound denotes the error where the store wasn't found via the
	// given configuration.
	ErrStoreNotFound = errors.New("Store not found")
)

Functions

This section is empty.

Types

type Client

type Client interface {
	// Check returns a NotAuthorized if the action is not allowed on the resource, or nil if it is allowed
	Check(ctx context.Context, action string, project uuid.UUID) error

	// Write stores an authorization tuple allowing user (an OAuth2 subject) to
	// act in the specified role on the project.
	//
	// NOTE: this method _DOES NOT CHECK_ that the current user in the context
	// has permissions to update the project.
	Write(ctx context.Context, user string, role Role, project uuid.UUID) error
	// Delete removes an authorization from user (an OAuth2 subject) to act in
	// the specified role on the project.
	//
	// NOTE: this method _DOES NOT CHECK_ that the current user in the context
	// has permissions to update the project.
	Delete(ctx context.Context, user string, role Role, project uuid.UUID) error

	// DeleteUser removes all authorizations for the given user.
	DeleteUser(ctx context.Context, user string) error

	// AssignmentsToProject outputs the existing role assignments for a given project.
	AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)

	// ProjectsForUser outputs the projects a user has access to.
	ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error)

	// PrepareForRun allows for any preflight configurations to be done before
	// the server is started.
	PrepareForRun(ctx context.Context) error

	// MigrateUp runs the authz migrations
	MigrateUp(ctx context.Context) error

	// Adopt stores an authorization relationship from one project to another
	Adopt(ctx context.Context, parent, child uuid.UUID) error

	// Orphan removes an authorization relationship from one project to another
	Orphan(ctx context.Context, parent, child uuid.UUID) error
}

Client provides an abstract interface which simplifies interacting with OpenFGA and supports no-op and fake implementations.

func NewAuthzClient

func NewAuthzClient(cfg *srvconfig.AuthzConfig, l *zerolog.Logger) (Client, error)

NewAuthzClient returns a new AuthzClientWrapper

type ClientWrapper

type ClientWrapper struct {
	// contains filtered or unexported fields
}

ClientWrapper is a wrapper for the OpenFgaClient. It is used to provide a common interface for the client and a way to refresh authentication to the authz provider when needed.

func (*ClientWrapper) Adopt

func (a *ClientWrapper) Adopt(ctx context.Context, parent, child uuid.UUID) error

Adopt writes a relationship between the parent and child projects

func (*ClientWrapper) AssignmentsToProject

func (a *ClientWrapper) AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)

AssignmentsToProject lists the current role assignments that are scoped to a project

func (*ClientWrapper) Check

func (a *ClientWrapper) Check(ctx context.Context, action string, project uuid.UUID) error

Check checks if the user is authorized to perform the given action on the given project.

func (*ClientWrapper) Delete

func (a *ClientWrapper) Delete(ctx context.Context, user string, role Role, project uuid.UUID) error

Delete removes the given role for the given user and project

func (*ClientWrapper) DeleteUser

func (a *ClientWrapper) DeleteUser(ctx context.Context, user string) error

DeleteUser removes all tuples for the given user

func (*ClientWrapper) MigrateUp

func (a *ClientWrapper) MigrateUp(ctx context.Context) error

MigrateUp runs the authz migrations. For OpenFGA this means creating the store and writing the authz model.

func (*ClientWrapper) Orphan

func (a *ClientWrapper) Orphan(ctx context.Context, parent, child uuid.UUID) error

Orphan removes the relationship between the parent and child projects

func (*ClientWrapper) PrepareForRun

func (a *ClientWrapper) PrepareForRun(ctx context.Context) error

PrepareForRun initializes the authz client based on the configuration. This is handy when migrations have already been done and helps us auto-discover the store ID and model.

func (*ClientWrapper) ProjectsForUser

func (a *ClientWrapper) ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error)

ProjectsForUser lists the projects that the given user has access to

func (*ClientWrapper) StoreIDProvided

func (a *ClientWrapper) StoreIDProvided() bool

StoreIDProvided returns true if the store ID was provided in the configuration

func (*ClientWrapper) Write

func (a *ClientWrapper) Write(ctx context.Context, user string, role Role, project uuid.UUID) error

Write persists the given role for the given user and project

type Role

type Role string

Role is the role a user can have on a project

const (
	// RoleAdmin is the admin role
	RoleAdmin Role = "admin"
	// RoleEditor is the editor role
	RoleEditor Role = "editor"
	// RoleViewer is the viewer role
	RoleViewer Role = "viewer"
	// RolePolicyWriter is the `policy_writer` role
	RolePolicyWriter Role = "policy_writer"
	// RolePermissionsManager is the `permissions_manager` role
	RolePermissionsManager Role = "permissions_manager"
)

func ParseRole

func ParseRole(r string) (Role, error)

ParseRole parses a string into a Role

func (Role) String

func (r Role) String() string

Directories

Path Synopsis
Package mock provides a no-op implementation of the minder the authorization client
Package mock provides a no-op implementation of the minder the authorization client

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL